Some malware sites to block 26/1/12

Some more malware sites to block, being used in current spam runs to distribute the blackhole exploit kit. Block the domains and IPs if you can.

Eonix, Canada
173.213.93.203
clostescape.com

Zerigo, US
173.248.190.37
chilleloot.com

Colo4Dallas, US
174.136.0.87
chillegraph.com
chilleline.com

Ixvar, Canada
174.142.247.164
clostery.com

Hostforweb, US
205.234.187.6
sulusient.com

Networld Internet, US
207.210.96.45
clostehold.com
72.249.126.223
chillemap.com

Confluence Networks, BVI
208.91.197.27 (parked)
closteyard.com

Endurance International, US
209.59.220.57
closteland.com
closterange.com
209.59.220.65
sulusity.com
209.59.220.202
chillency.com
209.59.221.158
closteation.com

Nuclear Fallout Enterprises, US
66.150.164.192
chilletect.com
74.91.119.202
sulusality.com

Linode, US
69.164.199.231
chillepay.com
96.126.96.123
chillechart.com
96.126.102.252
sulusium.com

Not resolving
chillebucks.com
chillecash.com
chillefunds.com
chillestruct.com
sulusius.com
sulusize.com

NACHA Spam / chillechart.com and chillepay.com

More fake NACHA spam leading to malware, this time the malicious payload is at chillechart.com on 96.126.96.123 (Linode, New Jersey).

Date:      Thu, 25 Jan 2012 10:40:06 +0100
From:      "alerts@nacha.org" [alerts@nacha.org]
Subject:      Your pending ACH debit transfer

Dear Account Holder,

This message includes an important notice about the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction #:    766253676295142
Transaction status:    pending

In order to resolve this matter, we prompt you to check the details of your transaction using the link below.

Faithfully yours,
Stephanie Barrera
Accounting Department

This follows the same pattern we have seen over the past few days. A Wepawet report for the malicious page is here. Blocking the IP address rather than the domain should block any other malicious sites on the server.

Update:  chillepay.com is also being used in this spam run, hosted on 69.164.199.231 (also Linode)

FDIC spam / splatstack.net

More FDIC spam leading to malware, this time at splatstack.net.

Date:      Mon, 19 Dec 2011 05:32:49 -0600
From:      "Greta Bullock"
Subject:      Blockage of your transactions

Attn: Financial Department


By this message we would like to inform you about the latest amendments in the Federal Deposit Insurance Corporation coverage rules. During the period from December 31, 2010 to December 31, 2012 all funds in a "noninterest-bearing transaction account" are provided with a full insurance coverage by the Federal Deposit Insurance Corporation. Please note, that this arrangement is temporary and separate from the Federal Deposit Insurance Corporation's basic insurance rules.

The term "noninterest-bearing transaction account" implies a usual checking account or demand deposit account on which the insured depository institution pays no interest. For more information about this temporary FDIC unlimited coverage, please refer to: http://iimtstudies.com/e3f4e0/index.html

Yours faithfully,
Greta Bullock
Federal Deposit Insurance Corporation

The link goes via a couple of hacked sites to a malicious payload splatstack.net/main.php?page=abfd0d069b45c17e hosted on 173.255.253.115 (Linode). Blocking access to that IP address will probably be prudent.

NACHA Spam / badthen.com

More NACHA spam, this time leading to a malicious payload on badthen.com. Stupidly (again) the NACHA email appears to come from linkedin.com.

Date:      Wed, 14 Dec 2011 05:36:48 +0900
From:      "LinkedIn" [linkedin@em.linkedin.com]
Subject:      ACH transfer suspended

The ACH transaction (ID: 137297301664), recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association.
Rejected transfer
Transaction ID:     137297301664
Rejection Reason     See details in the report below
Transaction Report     report_137297301664.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

The malware is on badthen.com/main.php?page=977334ca118fcb8c  hosted on 173.230.130.158 (Linode, US). Blocking the IP address will block any other malware domains on the same server.

NACHA Spam / sadjumped.com / downloaddatafast.serveftp.com

 More fake NACHA spam, this time leading to a malicious payload site on downloaddatafast.serveftp.com/main.php?page=977334ca118fcb8c on 173.230.137.34 (Linode, US).

Date:      Tue, 13 Dec 2011 14:15:51 +0100
From:      "LinkedIn" [linkedin@em.linkedin.com]
Subject:      ACH transaction not accepted

The ACH transfer (ID: 82065701523728), recently initiated from your checking account (by you or any other person), was rejected by the Electronic Payments Association.
Canceled transfer
Transaction ID:     82065701523728
Rejection Reason     See details in the report below
Transaction Report     report_82065701523728.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

serveftp.com is related to no-ip.com, if you block that domain then you should probably block serveftp.com as well. Blocking 173.230.137.34 would protect against any other malicious sites on the same server.

Update: another spam run is in progress using a domain sadjumped.com on the same server.

zoombanner.com / YieldManager malvertisement on ebuddy.com

ebuddy.com is running a malicious ad on the zoombanner.com domain, apparently managed by Yieldmanager.

First, the "legitimate" end of the malware chain loads at ad.zoombanner.com/content?campaign=1171557&sz=6
This forwards to deliver.commismanderakis.com/rotate?m=2;b=6;c=1;z=585778
Which goes to content.fishpotboutademalled.com/track/3388182/S_IT?[snip]
Then img.commismanderakis.com/img?XAhIPWtICDkJX0FVHXUDKFoRYhYlRxFCNlsBGEhLBEtVdRdiCRYKBA8kKV9RHBEaXFJfXFMHAQ
Followed by the payload domain at jduvazuc.info/cgi-bin/dep
then jduvazuc.info/cgi-bin/dep/j006102Hd793447cR55e239b8T9cc338b5V0100f060203L69740000000000000000
then jduvazuc.info/cgi-bin/dep/o006102203317l0010Hd793447cR55e239b8T9cc338b6V0100f060
Finally jduvazuc.info/cgi-bin/dep/e006102203318l0010Hd793447cJ0d000601R55e239b8T9cc338a4U0ec2fc77V0100f0600

This last hop tries to load an executable (and probably some other crap I haven't spotted), not very well detected according to VirusTotal. Oh yes, there's a PDF exploit too.

The malicious ad is an Italian language vacation banner in this case.


Most of the domains have anonymous registration details, except zoombanner.com which has the same details that were used in the malicous ads featured here and here.

zoombanner.com

Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Domain Name: ZOOMBANNER.COM
Created on: 24-Jul-09
Expires on: 24-Jul-10
Last Updated on: 24-Jul-09

Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --

Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --

Domain servers in listed order:
NS45.DOMAINCONTROL.COM
NS46.DOMAINCONTROL.COM

A search for the IP addresses show Linode is providing most of the infrastructure (again) with ezzi.net providing the payload server.

ad.zoombanner.com
69.164.215.205, 69.164.215.204 [Linode]

deliver.commismanderakis.com
74.207.232.205, 74.207.232.206, 74.207.232.248, 74.207.232.249, 74.207.232.250, 74.207.232.25, 74.207.232.30, 74.207.232.31, 74.207.232.35, 74.207.232.39, 74.207.232.202, 74.207.232.203 [Linode]

content.fishpotboutademalled.com
69.164.196.55 [Linode]

jduvazuc.info
216.150.79.74 [AccessIT / ezzi.net]

Incidentally, 69.164.196.55 also hosts a bunch of domains which are probably malicious:

• Aspoutceringlapham.com
• Baalcootymalachi.com
• Bangywhoaswaikiki.com
• Bertbleepedupsurge.com
• Bluegumgodfulfrowzly.com
• Bookletjigsawsenam.com
• Boursesdeployporomas.com
• Cabullacoexertstephen.com
• Camastuthbroomer.com
• Camocaexcidealaric.com
• Cursarophitkamass.com
• Dunnishbribesteen.com
• Dusaexsurgeenzed.com
• Eelfishminibusdaniel.com
• Enyopensilflux.com
• Fishpotboutademalled.com
• Galasynjingkoendoss.com
• Gombayuranidetripper.com
• Haileschoralephydra.com
• Haredjuvenalalkyds.com
• Hoofishsmutsdela.com
• Jigmenbrasschaves.com
• Jumnamontanodillon.com
• Limanadernaggly.com
• Malabarvoiotiahsln.com
• Mashlampeasewahima.com
• Miauwbustianraynold.com
• Mowewindsortejo.com
• Nahshufrosterpappus.com
• Negreetflurtagma.com
• Nitrotowelvidovic.com
• Oaterhabeasroyalet.com
• Ospswraxledfummel.com
• Oundycelticrecomb.com
• Pcdosbahnerdalea.com
• Pealedlupulicdunker.com
• Polarlyfoetiskart.com
• Potwareabipondeana.com
• Psatchargeehewart.com
• Puddyolderrippon.com
• Sallierdiaushawed.com
• Sarddieterchuted.com
• Scullogmooerslarking.com
• Siwardupttorntrib.com
• Skouthlazordurning.com
• Suttenbnetifla.com
• Tacomanheathsdisodic.com
• Temperabiceswayaka.com
• Teughlyhesperegerek.com
• Toterterrenobrasero.com
• Vaccarykakkakcaddoan.com
• Viperanmeatsoths.com
• Viznomyboohoorigs.com
• Voluntyseventechny.com
• Wartedbiterhunter.com
• Woodardvirgetoruli.com
• Yawybottlersuccahs.com
• Zirklehalavahhaunchy.com

I suspect that you probably wouldn't miss much by null-routing Linode completely at the moment.

More malvertisment domains

The malicious ads were running through (and I understand now terminated by) bootcampmedia.com, related to this post, according to commenter cerdo:

Blogger cerdo said...

bootcampmedia.com was also likely hosting a malicious campaign yesterday afternoon, and perhaps still ongoing. I'd contact you Jamie, but I don't have contact info for you. This all is clearly closely related to Dynamoo's post...

traffic.worldseescolor.com is an obvious bad actor. The other related domains:
deliver.bailagequinismregrow.com
img.bailagequinismregrow.com
content.cabullacoexertstephen.com

as well as:
aanserver88.com
bonnapet.com
afkenai.com
bfskul.com

14 January 2010 18:40

Blogger cerdo said...

Yep - saw traffic.worldseescolor.com via bootcamp again less than 30 minutes ago.

Related sites, accessed immediately after traffic.worldseescolor.com:

deliver.boaterdunnagechicot.com
img.boaterdunnagechicot.com

14 January 2010 18:45

Worth checking your logs for and blocking in case they turn up on another network. Checking IPs comes up with:

traffic.worldseescolor.com
69.164.215.208, 69.164.215.210, 69.164.215.205, 69.164.215.207, 69.164.215.204 [Linode]

deliver.bailagequinismregrow.com
74.207.232.205, 74.207.232.250, 74.207.232.249, 74.207.232.248, 74.207.232.203, 74.207.232.30, 74.207.232.206, 74.207.232.31, 74.207.232.39, 74.207.232.25, 74.207.232.202, 74.207.232.35 [Linode]

img.bailagequinismregrow.com
174.143.243.220, 98.129.238.102, 98.129.238.106, 98.129.236.239, 174.143.245.236, 98.129.237.14, 174.143.242.109, 174.143.243.90, 98.129.236.154, 98.129.238.101, 98.129.238.112, 98.129.236.254, 174.143.241.174, 98.129.238.105, 98.129.238.103, 174.143.243.162, 174.143.242.58, 98.129.238.99
[Slicehost / Rackspace]

content.cabullacoexertstephen.com
69.164.196.55 [Linode]

aanserver88.com
67.225.149.152 [Liquid Web]

bonnapet.com
Was 217.20.114.40 [Netdirekt / internetserviceteam.com] now appears to be down.

afkenai.com
195.2.253.93 [Madet Ltd, Moscow]

bfskul.com
195.2.253.93 [Madet Ltd, Moscow]

I don't have the full trace of these, so it's not exactly clear what these domains are doing in the reported chain.

BoingBoing.net / Bootcampmedia.com ad leads to malware

A malicious ad running on BoingBoing.net is delivering visitors to a PDF exploit.

Given the complicated state of advertising arbitrage, it is unlikely that BoingBoing.net have much control over it. The ad appears to be loading in from ad.yieldmanager.com (which is Yahoo!) and/or ad.z5x.net (DSNR Media Group) both of which are hosted on the same multihomed IP addresses.

The ad itself (pictured) appears to be some sort of get-rich-quick scheme or other.

This ad then directs through ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?z=BootCamp&dim=335848 to traffic.firedogred.com/content?campaign=1219131&sz=2 (this combination of bootcampmedia.com and firedogred.com has been noted before)

The ad then hops to deliver.amerchibchapowered.com/rotate?m=5;b=2;c=1;z=243826 then content.baalcootymalachi.com/track/3388182/S_SE?[snip] loading an image from img.amerchibchapowered.com along the way.

Finally, the visitor is directed to chohivyb.info/cgi-bin/aer/[snip] which contains an exploit detected as Troj/PDFJs-GI by Sophos.

"Boot Camp Media" is run by a guy called Jamie Dalgetty of Guelph, Ontario in Canada. It's unlikely that he's a bad guy, more likely that his ad network is being exploited by a malcious third party.

traffic.firedogred.com is rather more interesting, multihomed on 69.164.215.204, 69.164.215.205, 69.164.215.207, 69.164.215.208 and 69.164.215.210 at Linode, New Jersey. The domain firedogred.com is slightly interesting:

Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)

Domain Name: FIREDOGRED.COM
Created on: 15-Sep-09
Expires on: 15-Sep-10
Last Updated on: 15-Sep-09

Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

Domain servers in listed order:
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM

trafficbuyer@gmail.com has been used for these malicious domains for some months and is well known.

deliver.amerchibchapowered.com is also multihomed at Linode on 74.207.232.250, 74.207.232.25, 74.207.232.30, 74.207.232.31, 74.207.232.35, 74.207.232.39, 74.207.232.202, 74.207.232.203, 74.207.232.205, 74.207.232.206, 74.207.232.248 and 74.207.232.249. The domain was registered on 7th January 2010 and is hidden by DomainsByProxy.

content.baalcootymalachi.com is hosted on 69.164.196.55 at Linode again, again registered on 7th January via DomainsByProxy.

img.amerchibchapowered.com is hosted on a large number of servers at 174.143.243.90, 174.143.243.162, 174.143.243.220, 174.143.245.236, 98.129.236.154, 98.129.236.239, 98.129.236.254, 98.129.237.14, 98.129.238.99, 98.129.238.101, 98.129.238.102, 98.129.238.103, 98.129.238.105, 98.129.238.106, 98.129.238.112, 174.143.241.174, 174.143.242.58, 174.143.242.109 - these are all hosted at Slicehost.com which is a customer of Rackspace.

Finally, chohivyb.info is hosted on 216.150.79.74 which is some outfit called ezzi.net of New York owned by another outfit called AccessIT. No prizes for guessing that chohivyb.info has been registered only very recently with anonymous details.

216.150.79.74 is a well-known malware server, and that hosts the following domains which you can assume are malicious:

• Ablxsr.info
• Ajgdrt.info
• Alevfq.info
• Alfwqr.info
• Alrpsl.info
• Ameronada.info
• Bnzbfz.info
• Bodxmt.info
• Bplimo.info
• Briliantio.info
• Bvqlag.info
• Bzjsqk.info
• Ccwarj.info
• Cityopicos.info
• Clthth.info
• Ctksji.info
• Dasyxe.info
• Dbivoh.info
• Dgltup.info
• Dpuefh.info
• Dtjblp.info
• Enhmqq.info
• Enqpqk.info
• Euespj.info
• Exmxfd.info
• Fblooe.info
• Fdwghs.info
• Fopqde.info
• Fprvsu.info
• Frgbat.info
• Fymjjz.info
• Gelvmf.info
• Gnautw.info
• Gnysgg.info
• Gredotcom.info
• Grupodanot.info
• Grxqog.info
• Gukuny.info
• Gyckjq.info
• Hagijd.info
• Haqdsc.info
• Hgtbng.info
• Hjdnps.info
• Hyiyyi.info
• Iakecg.info
• Iaoaxz.info
• Iewwpn.info
• Ijaflj.info
• Iohbvo.info
• Jhrubd.info
• Jokirator.info
• Kbwstb.info
• Kibfsz.info
• Klamniton.info
• Ktebkx.info
• Kxlglw.info
• Leeloe.info
• Lgcezx.info
• Lkraat.info
• Lktcaj.info
• Llchqs.info
• Lnmrjz.info
• Lokitoreni.info
• Lqhczk.info
• Lywavy.info
• Lyzocu.info
• Mallstern.info
• Manaratora.info
• Megafrontan.info
• Mesxql.info
• Mngmjc.info
• Monsatrik.info
• Montrealt.info
• Mruvienno.info
• Mrvsnq.info
• Nalszu.info
• Ncnzfh.info
• Neiaea.info
• Nigrandara.info
• Njcmug.info
• Npmkrr.info
• Ntaxkj.info
• Obzdkn.info
• Ocftfa.info
• Optugj.info
• Otfcco.info
• Owpwhi.info
• Pbrugb.info
• Plxxii.info
• Pncgfd.info
• Ppusmb.info
• Prbakn.info
• Qdinql.info
• Qgxelo.info
• Qqtwft.info
• Realuqitor.info
• Refrentora.info
• Retuvarot.info
• Rfouce.info
• Rljysj.info
• Rocqdn.info
• Roeaaj.info
• Semqef.info
• Snosrz.info
• Spgsgh.info
• Stqvqw.info
• Swrapz.info
• Tcoqgo.info
• Tehfnn.info
• Top-lister1.info
• Transforltd.info
• Tsfxzg.info
• Tyenxv.info
• Ugrdzf.info
• Uliganoinc.info
• Urupnk.info
• Utpxno.info
• Uyguau.info
• Vbqfdm.info
• Veqibp.info
• Vkfaao.info
• Vwwtlp.info
• Wddifv.info
• Wdhcvv.info
• Wdokxd.info
• Wevoratora.info
• Wtstds.info
• Wvkjxx.info
• Wvlsam.info
• Xbhmws.info
• Xbxynl.info
• Xcisup.info
• Xxiyrv.info
• Ybeaxd.info
• Yfntrg.info
• Yqjxkj.info
• Ywbxen.info
• Zdkaki.info
• Zhwtqz.info
• Zlpbha.info
• Znkwjc.info
• Zqpwco.info

Unlocker.org.uk is located on the same server, but it doesn't seem to fit in with the malware delivery and perhaps it is best to assume that it is a coincidence.

Obviously block or null-route these destinations as you feel fit, and do not purchase any ads from firedogred.com!

Added: You probably want to block these too..

216.150.79.76

• Cacorq.info
• Clxhbz.info
• Dgrxqh.info
• Diwiowano.info
• Dmdurz.info
• Funkol.info
• Geetol.info
• Gitoer.info
• Gondiroda.info
• Gutrandin.info
• Hizfek.info
• Hopore.info
• Ivgzda.info
• Jopqae.info
• Kolpao.info
• Nadotraza.info
• Niraynome.info
• Ofahitino.info
• Oirjsa.info
• Ornotivec.info
• Pirtaf.info
• Popsto.info
• Rellok.info
• Ruhcsy.info
• Sacmtf.info
• Sdoras.info
• Tapiroten.info
• Tiizwb.info
• Traxemere.info
• Ulmqmq.info
• Vivibt.info
• Xsxydj.info
• Yuncdjbiw.info
• Yyoqny.info

216.150.79.77

• Bnodas.info
• Brasilianstoree.info
• Byzypub.info
• Depahugu.info
• Gionasodor.info
• Giratunes.info
• Gyreal.info
• Hlopki.info
• Huerin.info
• Igerinsar.info
• Jcafuzixa.info
• Joketarona.info
• Koevoru.info
• L-iza.info
• Laryju.info
• Manocoraz.info
• Nbuuf.info
• Npefu.info
• Nvihobepo.info
• Pe-aqemop.info
• Pyneh.info
• Retiof.info
• Rzajexu.info
• Tolkienad.info
• Tymane.info
• Typolazu.info
• Vfoxoe.info
• Wanitale.info
• Yawibyve.info
• Ydiuvy.info
• Zoimie.info

Suspect ad network leads to PDF exploit

This was picked up from an ad apparently running on grooveshark.com

An ad from ad.technoratimedia.com loads an ad from ad.yieldmanager.com.. so far, pretty normal.

The next step is:
ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?ajecscp=1254835789307&z=BootCamp&dim=335848

This domain is protected by DomainsByProxy, registered in December 2007 and is hosted 208.113.133.105.

The site has the following contact details:

Address

Bootcamp Media
121 Wyndham St. N.
Suite 202
Guelph, Ontario, Canada
N1H 4E9
Phone

1-519-515-0094
Fax

1-519-515-0151

Bootcampmedia.com has a near-zero profile, but it may well be a legitimate company.

After this, the visitor starts to go well off the beaten track. The next hop is traffic.firedogred.com/content?campaign=1219131&sz=2

firedogred.com is registered to:

Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: FIREDOGRED.COM
Created on: 15-Sep-09
Expires on: 15-Sep-10
Last Updated on: 15-Sep-09

Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --

That email address of trafficbuyer@gmail.com is well known. The subdomain traffic.firedogred.com is dual-homed on 207.57.97.233 and 161.58.56.25 (both NTT America, Inc).

The next hop is show.sheathssubtotal.info/rotate?m=3;b=2;c=0;z=406377

sheathssubtotal.info was regisitered on 17th September with the same "trafficbuyer@gmail.com" contact details as firedogred.com.

show.sheathssubtotal.info is dual homed on 140.174.93.100, 161.58.192.228 (both NTT America, Inc).

Yet another hop, this time to content.neighbanner882.info/track/3388081/S_SE?{munged}

neighbanner882.info was created on 7th August 2009, registered to trafficbuyer@gmail.com (again). content.neighbanner882.info is hosted on 69.164.196.55 at some outfit called Linode.

Yet another hop, this time to winckag.com which is currently down but was hosted on 89.149.251.71 (Netdirekt E.k) who are pretty well known for hosting bad sites (but they may well have nuked this one already, and if so.. well done!)

The owners of winckag.com have something to hide..

Registrant:
Contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA

Domain name: WINCKAG.COM


Administrative Contact:
contactprivacy.com, winckag.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457
Technical Contact:
contactprivacy.com, winckag.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457


Registration Service Provider:
domainsnext.com, Sales@DomainsNext.com
+1.9494979623
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.


Registrar of Record: TUCOWS, INC.
Record last updated on 04-Oct-2009.
Record expires on 04-Oct-2010.
Record created on 04-Oct-2009.

Registrar Domain Name Help Center:
http://domainhelp.tucows.com

Domain servers in listed order:
NS1.WINCKAG.COM 200.63.45.62
NS2.WINCKAG.COM 200.63.45.62

This loads an image from img.sheathssubtotal.info/120x600/54019.gif multihomed on 174.143.241.174, 174.143.243.90, 174.143.243.162 (some sort of cloud hosting) and then loads the following:
winckag.com/base/data/p29.php
winckag.com/base/data/vou.png

Those nameservers on 200.63.45.62 are interesting, that's PanamaServer.com who are well known for supporting malware.

Finally, winckag.com appears to try to load a Troj/PDFJs-DY trojan onto the victim's machine.

You should certainly avoid ads running on firedogred.com, sheathssubtotal.info, neighbanner882.info, winckag.com or any domain registered to trafficbuyer@gmail.com. Make up your own mind about Boot Camp Media - these small ad networks are very often targeted by the bad guys, but they really need to get their act together.